When your data is dirty, just start over...

I was in a meeting this afternoon, where someone proposed a security solution which could basically be summed up as:  "Let's build a new forest, and move all the users and resources into it."  Most everyone around the table started shaking their heads in agreement...after all, the forest is the Active Directory security boundary and if the one you've got isn't working then get a new one right?  Well, unfortunately...being the guy who would have to design, implement it, and work with the operations teams to support it...I had to ask the question... Why do we need a new forest?

The answer really surprised me, not because of the bold technical genius behind it, but because of its stark simplicity.  I was told that our existing production forest was "too dirty, and couldn't be cleaned."  Heck, who can argue with THAT!  If your forest is dirty, then that makes even more sense that you would toss it out, run down to the local "Active Directory SuperStore" and pick up a new one.  I was thinking we should get a six-pack, just so we had some spares.

In all seriousness though, I think the dumbfounded look on my face actually offended some people.  After all, I knew what he intended.  The idea was that it was going to take a lot of work to understand the existing settings and how they would need to be changed to accommodate the new business requirements, workflows, etc...  The problem was that they didn't want to see whether the cost required for the new forest solution was more or less than "cleaning" out our existing forest, or for that matter even figuring out what the new configuration should be...therefore..."dirty"

So the moral of this story is, if you want to promote an idea or solution, claiming that the "data is dirty" may just be your ticket to success...  At least if you can walk out before someone asks you what that means.  :)

Comments

  • Anonymous
    October 21, 2005
    I usually throw my clothes out when they get dirty, so I don't see what the problem is...

    The problem of course is that the magnitude of cleaning the "dirt" is unconfrontable, so it seems easier to start over. There is no equivalent of a washing machine in the AD world. Wouldn't that be cool? Large load, warm wash, cool rinse, EXTRA BLEACH! Whiter whites and brighter brights! Your DACLs are as clean as the day they were propagated!

    Maybe it's not so far-fetched, if we could just codify what constitutes "dirt". Good luck with that.

    -gil

  • Anonymous
    October 21, 2005
    I think I took this to be a little different than just a matter of perms. I think there was also the issue of settings that have been made over the years. Something like plaque build-up.

    It just strikes me that the people that suggested it didn't have an idea about the level of effort required to create new. Old = figure out how things should be set and make it that way. New = figure out how things should be set, build it, and then make it that way.

    Interesting style of writing though Brian. Looking forward to more. Maybe that garage door operator of Bldg 7 could start a blog as well. Might be worth reading. ;)

    -ajm

  • Anonymous
    October 21, 2005
    I think the moral of the story is the fact the real problem has to do with OPERATIONS (or lack thereof) and the "dirty" AD is a symptom of the problem. I guarantee if a new Forest was implemented, you'd be back in the same situation within 18 - 24 months.

  • Anonymous
    November 04, 2005
    I encounter this all the time at customers. It's a mess, so start over. They forget that they NEED TO CLEANUP ANYWAY. Permissions all wrong? Obsolete accounts? Strange policies?

    Sort it out, and see what the quickest solution is. Unless your AD is totally hosed I bet it is cheaper to keep the old one.

    This 'cleanup' argument is purely emotional. It's like buying a new car, a nice fuzzy feeling of a job well done. That's not a business argument though.